The MAILING DATE of this communication appears on the cover sheet with the correspondence address.

All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included 
herewith (or previously mailed), a Notice of Allowance (PTOL-85) or other appropriate communication will be mailed in due course. THIS 
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative 
of the Office or upon petition by the applicant. See 37 CFR 1.313 and MPEP 1308. 

1. This communication is responsive to 27 March 2008.

2. The allowed claim(s) is/are 1-21.

3. □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).

   a) □ All  b) □ Some*  c) □ None of the:

   1. □ Certified copies of the priority documents have been received.
   2. □ Certified copies of the priority documents have been received in Application No. .
   3. □ Copies of the certified copies of the priority documents have been received in this national stage application from the International Bureau (PCT Rule 17.2(a)).

   * Certified copies not received: .

Applicant has THREE MONTHS FROM THE "MAILING DATE" of this communication to file a reply complying with the requirements 
noted below. Failure to timely comply will result in ABANDONMENT of this application. 
THIS THREE-MONTH PERIOD IS NOT EXTENDABLE. 

4. □ A SUBSTITUTE OATH OR DECLARATION must be submitted. Note the attached EXAMINER'S AMENDMENT or NOTICE OF INFORMAL PATENT APPLICATION (PTO-152) which gives reason(s) why the oath or declaration is deficient.

5. □ CORRECTED DRAWINGS (as "replacement sheets") must be submitted.

   (a) □ including changes required by the Notice of Draftsperson's Patent Drawing Review (PTO-948) attached 1) □ hereto or 2) □ to Paper No./Mail Date .

   (b) □ including changes required by the attached Examiner's Amendment / Comment or in the Office action of Paper No./Mail Date .

Identifying indicia such as the application number (see 37 CFR 1.84(c)) should be written on the drawings in the front (not the back) of each sheet. Replacement sheet(s) should be labeled as such in the header according to 37 CFR 1.121(d).

6. □ DEPOSIT OF and/or INFORMATION about the deposit of BIOLOGICAL MATERIAL must be submitted. Note the attached Examiner's comment regarding REQUIREMENT FOR THE DEPOSIT OF BIOLOGICAL MATERIAL.

Attachment(s)

1. ☒ Notice of References Cited (PTO-892)
2. □ Notice of Draftperson's Patent Drawing Review (PTO-948)
3. ☒ Information Disclosure Statements (PTO/SB/08), Paper No./Mail Date see attachment
4. □ Examiner's Comment Regarding Requirement for Deposit of Biological Material
5. □ Notice of Informal Patent Application
6. □ Interview Summary (PTO-413), Paper No./Mail Date .
7. □ Examiner's Amendment/Comment
8. ☒ Examiner's Statement of Reasons for Allowance
9. □ Other .

/Christopher A. Revak/ 
Primary Examiner, Art Unit 2131 
DETAILED ACTION

1. This is in response to the communications filed on 27 March 2008.

2. Claims 1-21 are pending in the application. 

3. Claims 1-21 have been allowed. 

Continued Examination Under 37 CFR 1.114 

4. A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1.17(e), was filed in this application after allowance or after an Office action under Ex 
Parte Quayle, 25 USPQ 74, 453 O.G. 213 (Comm'r Pat. 1935). Since this application is eligible 
for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been 
timely paid, prosecution in this application has been reopened pursuant to 37 CFR 1.114. 
Applicant's submission filed on 27 March 2008 has been entered. 

Information Disclosure Statement 

5. The examiner has considered the information disclosure statement (IDS) filed on 27 March 
2008. 

Allowable Subject Matter 

6. Claims 1-21 are allowed. 

The following is an examiner's statement of reasons for allowance: 
The current application is directed towards a computerized method for reducing the false 
alarm rate of network intrusion detection systems that includes receiving, from a network intrusion 
detection sensor, one or more data packets associated with an alarm indicative of a potential 
attack on a target host and identifying characteristics of the alarm from the data packets. The 
characteristics include at least an attack type and an operating system fingerprint of the target 
host. The method further includes identifying the operating system type from the operating 
system fingerprint, comparing the attack type to the operating system type, and indicating 
whether the target host is vulnerable to the attack based on the comparison. 
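The comparison step described above, as an added illustration that is not part of the application or of the examiner's text: an alarm's attack type is checked against the operating system type derived from the target host's fingerprint, and alarms whose attack cannot affect that operating system are downgraded. The fingerprint table, the attack-to-OS mapping and the sample alarms are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed fingerprint table keyed on (initial TTL, TCP window size) of the
# target host's reply packets; a real database is far richer (assumption).
OS_FINGERPRINTS = {(64, 5840): "linux", (64, 65535): "freebsd", (128, 8192): "windows"}

# Constructed mapping from attack type to the OS families it can actually affect.
ATTACK_TARGETS = {
    "iis-web-exploit": {"windows"},
    "solaris-rpc-exploit": {"solaris"},
    "openssl-exploit": {"linux", "freebsd", "solaris"},
}

@dataclass(frozen=True)
class Alarm:
    signature: str      # attack type reported by the sensor
    target_ttl: int     # fingerprint fields taken from the target host's packets
    target_window: int

def os_type_from_fingerprint(ttl, window):
    return OS_FINGERPRINTS.get((ttl, window), "unknown")

def is_target_vulnerable(alarm):
    """Return (vulnerable, os_type). Missing data (unknown OS or unknown attack
    type) keeps vulnerable=True so an alarm is never suppressed on a guess."""
    os_type = os_type_from_fingerprint(alarm.target_ttl, alarm.target_window)
    affected = ATTACK_TARGETS.get(alarm.signature)
    if os_type == "unknown" or affected is None:
        return True, os_type
    return os_type in affected, os_type

def filter_alarms(alarms):
    """Split alarms into those to escalate and those downgraded as likely false."""
    escalate, downgrade = [], []
    for a in alarms:
        vulnerable, os_type = is_target_vulnerable(a)
        (escalate if vulnerable else downgrade).append((a.signature, os_type))
    return escalate, downgrade

# Constructed sample alarms.
SAMPLE_ALARMS = [
    Alarm("iis-web-exploit", 64, 5840),      # Windows-only attack hitting Linux
    Alarm("iis-web-exploit", 128, 8192),     # same signature, Windows target
    Alarm("solaris-rpc-exploit", 64, 65535), # Solaris-only attack hitting FreeBSD
    Alarm("openssl-exploit", 200, 1),        # target OS cannot be determined
]

if __name__ == "__main__":
    print(filter_alarms(SAMPLE_ALARMS))
```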

The closest prior art to the current application is McClure et al U.S. Patent No. 7,152,105 
B2 (hereinafter McClure). McClure is directed towards a system and method that provide 
comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, 
including identification of operating system, identification of target network topology and target 
computers, identification of open target ports, assessment of vulnerabilities on target ports, active 
assessment of vulnerabilities based on information acquired from target computers, quantitative 
assessment of target network security and vulnerability, and hierarchical graphical representation 
of the target network, target computers, and vulnerabilities in a test report. The system and 
method employ minimally obtrusive techniques to avoid interference with or damage to the 
target network during or after testing. 

However, there are differences between McClure and the current application. For 
example, McClure fails to disclose, teach, or suggest "receiving, from a network intrusion 
detection sensor, one or more data packets associated with an alarm indicative of a potential 
attack on a target host". McClure discloses that in order to "force" a response from the target 
computer, an intruder may send a malformed packet to a target port. While this known 
technique increases the likelihood that an open UDP port on the target computer can be 
identified, this technique also substantially increases the likelihood that the malformed packet 
could damage the target computer. Also, firewalls or routers may detect and filter out 
malformed packets, and such packets can alert the target network of an attempted security 
breach. The intelligent UDP port scanning test in accordance with this embodiment of 
the present invention employs an efficient, less intrusive and more accurate method for 
scanning UDP ports on a target computer (McClure at 24:11-26). This passage relates to a 
technique for discovering host computers (live target computers), particularly to a technique for 
applying an Intelligent UDP Port Scanning test to each IP address on a scan list (McClure at 
22:31-38, 23:54, and 24:21-27). McClure discloses packets used to identify an operating system 
(McClure at 17:36-18:3; see also McClure at 18:43-44). McClure fails to disclose, teach, or 
suggest "receiving, from a network intrusion detection sensor, one or more data packets associated 
with an alarm indicative of a potential attack on a target host". McClure discloses that the packets are 
RFC-compliant TCP packets (McClure at 14:41-56; see also McClure at 16:57-17:4). The RFC- 
compliant TCP packets, however, are not the malformed packets. The use of RFC-compliant TCP 
packets advantageously reduces the probability that the detection packets are blocked by a 
router or firewall, and greatly reduces the probability that the detection packets will cause 
damage or crashes at the target computer (McClure at 16:62-67). That is, the packets greatly 
reduce the problems associated with the malformed packets. As a result, McClure fails to 
disclose "receiving, from a network intrusion detection sensor, one or more data packets 
associated with an alarm indicative of a potential attack on a target host". McClure discloses that 
in the decision step 730, the process determines whether all the live target computers have been 
processed in TCP full connect scanning or whether all the batches of live target computers 
have been processed in TCP SYN scanning. If all the target computers or all the batches of 
target computers have been processed, the process ends. Otherwise, the process proceeds to a 
TCP service scan routine 740 wherein the process uses a TCP service discovery list 742 
to identify the TCP service ports to be examined for each target computer. As described above, 
TCP packets are sent to the identified TCP service ports of each target computer, and the 
target computer vulnerability database 714 is updated for each target computer in accordance 
with whether a response is received or is not received from each target computer for 
each TCP service port scanned and using the known vulnerability database to obtain the 
vulnerability information for the particular TCP service ports that are determined to be open 
(McClure at 31:19-36). This passage of McClure also fails to disclose "receiving, from a network 
intrusion detection sensor, one or more data packets associated with an alarm indicative of a 
potential attack on a target host". McClure does not disclose, teach or suggest receiving any 
message from a network intrusion detection sensor, let alone receiving "one or more data 
packets associated with an alarm indicative of a potential attack on a target host". McClure 
discloses that "TCP packets are sent to the identified TCP service ports [identified using 
TCP discovery list 742] of each target computer, and the target computer vulnerability database 
714 is updated for each target computer in accordance with whether a response is received or is 
not received from each target computer for each TCP service port scanned and using the known 
vulnerability database to obtain the vulnerability information for the particular TCP service ports 
that are determined to be open" (McClure at 31:28-36). Updating a target computer 
vulnerability database or using a known vulnerability database, as discussed above, does not 
disclose, teach, or suggest receiving anything from a network intrusion detection system, let 
alone receiving from such a network intrusion detection system one or more data packets 
associated with an alarm indicative of a potential attack on a target host. As another example, 
McClure fails to disclose, teach, or suggest "identifying characteristics of the alarm from 
the data packets, including at least an attack type and an operating system fingerprint of the 
target host," "comparing the attack type to the operating system type" and "indicating whether 
the target host is vulnerable to the attack based on the comparison". For example, McClure 
discloses sending messages to a target computer and saving responses from the target 
computer as fingerprints (Id. at 17:29-64). The fingerprints are then compared to a 
known database of fingerprints associated with various operating systems and operating system 
versions (Id. at 17:65-68). According to McClure, known fingerprints can be compiled through 
application of the above methodology to various target computers known to have a 
particular operating system before testing (Id. at 17:67-18:3). The remainder of the 
portion discloses various additional details related to the technique for identifying the operating 
system disclosed in McClure, including updating of the operating system fingerprint database, 
types of operating system fingerprints, and the types of messages that may be sent to the target 
computer to obtain responses from the target computer (Id. at 18:20-50). However, McClure 
does not appear to disclose, teach, or suggest "identifying characteristics of the alarm from the 
data packets, including at least an attack type and an operating system fingerprint of the target 
host," "comparing the attack type to the operating system type" and "indicating whether the 
target host is vulnerable to the attack based on the comparison". 

Any comments considered necessary by applicant must be submitted no later than the 
payment of the issue fee and, to avoid processing delays, should preferably accompany the issue 
fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for 
Allowance." 
Conclusion 

7. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Aravind K Moorthy/ 
Examiner, Art Unit 2131 
/Ayaz R. Sheikh/ 
Supervisory Patent Examiner, Art Unit 2131 